NIST recommends security measures for cloud subscribers

20 May 2011

The National Institute of Standards and Technology (NIST) has issued a draft guide to cloud computing that includes a number of recommendations to enhance security in the cloud environment.

The draft guide, NIST Cloud Computing Synopsis and Recommendations (Special Publication 800-146), provides information for IT decision makers interested in moving into the cloud.

“Information security in the cloud is a real challenge”, said Lee Badger, an IT specialist with the NIST’s Computer Security Division and one of the authors of the publication.

“There are several factors to consider. One is that cloud systems, at least in some of their configurations, are outsourced systems. Therefore, for one to have confidence that the system is treating your data with due care, one has to have confidence that the people who are running that system are exercising the care you think is appropriate”, Badger told Infosecurity.

“The importance of the boundaries that separate cloud users is high” in terms of security, Badger noted. Also, “you may not know geographically where your data is located. That might reduce confidence”, he said.

At the same time, the cloud places resources under a common administration; therefore, organizations that use the cloud can benefit from the security expertise of the cloud provider, he added.

In the publication, NIST recommends that organizations take a number of steps to ensure that their data is secure when they move to the cloud.

First, organizations should employ best practices for web browser security and patching and seek to minimize browser exposure to possibly malicious websites.

Second, organizations should require that strong encryption is used for web sessions whenever a rented application requires the confidentiality of application interactions with other applications or data transfers. Also, subscribers should require that the same diligence is applied to stored data.

Third, they should consider physical plant security practices and plans at provider sites as part of their overall risk considerations when selecting a provider. Cloud subscribers should write plans for recovery from physical attacks, investigate whether a provider offers redundancy, and opt for a provider that is not tied to a specific geographic location in case of natural disasters or other disruptions.

Fourth, organizations should consider the use of authentication tokens, which some providers offer, to mitigate the risk of account hijacking.

Fifth, they should have visibility into the authentication and access control mechanisms that the provider infrastructure supports, the tools that are available for cloud subscribers to provision authentication information, and the tools to input and maintain authorizations for subscriber users without the intervention of the provider.

Sixth, organizations should benchmark current performance scores for an application, and then establish key performance score requirements before deploying that application to a provider’s site. Key performance scores include responsiveness for interactive user applications, and bulk data transfer performance for applications that must input or output large quantities of data on an ongoing basis.

And finally, organizations should request that a provider allow visibility into the operating services that affect their data or operations on that data.

NIST is seeking industry comments on the draft guide to cloud computing. Comments should be sent to 800-146comments@nist.gov by June 13.